Blackhawk Consumer Privacy Policy

Last Updated: May 1, 2018

Introduction and Scope of Practices.

Blackhawk Network Holdings, Inc. and its affiliates (“Blackhawk,” “we,” “us,” or “our”) care about your personal information. This Privacy Policy (“Policy”) describes the personal data we collect, how we use this data, with whom we share it, and the choices individuals have about our use of this data. The Policy applies to the personal data Blackhawk collects about users of our websites (including www.blackhawknetwork.com) mobile applications, and the services and features therein (together the “Sites”), as well as the data we collect in providing our services (the “Services”) and when individuals communicate with us about our Sites and Services, whether in person, by telephone, by mail, or other means, unless you are notified at the time we collect your personal data that a different privacy policy applies. When we act as a data processor on behalf of another controller, we collect, use, and disclose certain personal data only under the controller’s instruction, and their privacy policy will apply to how they (and we on their behalf) process your personal data.

This Policy explains:

How we collect, use, and share information from or about you;

How our online advertisements (such as banner ads) on third party sites treat data;

Your choices about our use of your personal data;

How you can access and update your information; and

How you can exercise your rights

Sometimes, we appear on a site owned by a third party (like a Blackhawk page or handle on a social media site) or link to a third party site. When we do, that third party’s privacy policies and terms of use, not ours, will apply unless you are told otherwise. Also, some of Blackhawk’s Services are offered through banks or other financial institutions. In those cases, the third parties’ policies will govern their use of consumer data.

How We Collect Personal Data

“Personal Data" means any information relating to an identified or identifiable natural person or a combination of information that can be used to identify, contact, or locate a specific person. We may collect Personal Data directly from you, when you provide it to us. This can occur when you fill out applications, create accounts, complete a purchase, add money to your account, send in forms, take surveys, or fill in various online fields on our Sites. We also collect Personal Data when you contact us with inquiries, customer support requests, or employment applications. You do not have to provide us with your Personal Data. However, if you choose not to disclose certain information, we may not be able to provide you with certain services, such as retaining shopping cart choices.

We may also collect the Personal Data of third parties when you provide it to us. For example, if you choose to use our service to send a gift to a friend or register a family member for an account, we will ask you for their name and address or email address. In addition, we may collect third party Personal Data through our "Refer a Friend" program. Blackhawk stores this information for the sole purpose of completing the transaction. If you provide Personal Data of a friend or family member and they want us to delete this information, they should contact us at privacy@bhnetwork.com. We may not always be able to remove their Personal Data and we will let them know if we cannot do so and why.

Types of Personal Data We Collect

Information You Provide Us

We may collect the following types of Personal Data from you through our Sites and related to our Services, subject to applicable laws:

Preference information such as product wish lists, order history, or marketing preferences;

Information about your business such as company name, company size, or business type; and

Demographic information, such as age, gender, interests and ZIP code.

Where the Personal Data we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you accordingly at the time of such data collection. If we cannot collect this data, we may be unable to on-board you as a client or provide products or services to you.

Comments, Posts and Submissions

When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online chat discussions, request customer support, submit testimonials, we collect your Personal Data, such as contact information, and other information you choose to share. Some of our Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blog or community forum, contact us at privacy@bhnetwork.com. If we are unable to remove your Personal Information, we will let you know why.

Testimonials

We display personal testimonials of satisfied customers on some of our Sites and in print advertisements. With your consent, we may use your testimonial and your name. If you wish to update or delete your testimonial, you can contact us at privacy@bhnetwork.com.

Other Communications and Support

We collect Personal Data when you communicate with us relating to the Services, including during phone calls (and call recordings), chats, or over email. Personal Data gathered may include contact information, employment details, user preferences, and any other information you choose to share. Please only provide us Personal Data that we need in order to respond to your request.

Geolocation

With your consent, we may collect your location-based information such as to help you locate a store offering our products and services in your area. On some Sites we collect location-based information for fraud prevention purposes. You may opt out of location-based services at any time by changing the settings on your device. If you do, you might not be able to use certain features, especially when we use location-based information to prevent fraud.

Information We Collect from Third Parties

Sometimes, we may collect Personal Data from third party sources. For example, subject to applicable law, we may confirm your address with the postal service or verify your Personal Data with a credit-reporting agency. We may also receive Personal Data about you from our clients who use our Services.

Information We Collect Automatically

We automatically gather information about your use of the Sites and Services through cookies, web beacons, java script, log files, pixels, and other technologies, which may include: your domain name, browser type, browser language preference, device type and operating system, page views and links you click within the Sites, IP address, device ID or other identifier, location information, date and time stamp, and time spent using the Services, referring URL, and your activity within the Sites. See “Use of Cookies, Tracking Technologies” section for details.

Customer Service and Support: To send you important information, such as changes to terms, conditions, and policies and/or other administrative information;

Personalization: To personalize your experience on a Site or using the Services, such as by tailoring the content we send or display to you in order to personalize help and instructions, and to otherwise personalize your experience using the Services (“profiling” under EU data privacy law);

Marketing: To send you marketing communications you have signed up for; and

Advertising and Referrals: To assist in advertising the Services on third party websites and to track referrals from partner websites.

Analytics and Improvement: To better understand how users access and use the Services, and for other research and analytical purposes, such as to evaluate and improve the Services.

Verify Identity and Detect Fraud: To verify your identity and/or location in order to allow access to your accounts, conduct online transactions, and secure your Personal Data, and for risk control, fraud detection and prevention, and compliance with laws and regulations;

Protect Our Legal Rights and Prevent Misuse: To protect the Services, prevent unauthorized access and other misuse, and where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of our Terms of Use or this Privacy Policy.

Comply with Legal Obligations: To comply with the law or legal proceedings such as when required to disclose information in response to lawful requests by public authorities, including responding to national security or law enforcement disclosure requirements.

General Business Operations: Where necessary to the administration of our general business, accounting, recordkeeping and legal functions.

Aggregate and Anonymized Information

We may also generate aggregate and/or anonymized information about users for marketing, advertising, research or similar purposes. This information is not Personal Data.

Legitimate Interests under the EU’s GDPR

Purposes of Use (see above)

Legal Bases of Processing (EU Users)

Provide Our Services

Customer Service and Support

Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)

Our Legitimate Business Interests*

Personalization

Marketing

Advertising and Referrals

Our Legitimate Business Interests*

With Your Consent

Analytics and Improvement

Our Legitimate Business Interests**

With Your Consent

Protect Our Rights and Prevent Misuse

Verify Identity and Detect Fraud

Comply with Legal Obligation

Compliance with law

Establish, defend or protect of legal interests

General Business Operations

Our Legitimate Business Interests**

Establish, defend or protect of legal interests

Compliance with law

*For the Personal Data from the EU that we process, this column describes the relevant legal bases for such processing under GDPR (and local implementing laws of EU member states); this does not limit or modify the obligations, rights and requirements under the privacy laws of non-EU jurisdictions.

** For Personal Data from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. We only market to EU consumers following opt-in consent.

How We Share Personal Data We Collect

We do not sell your Personal Data to third parties.

Affiliates

To the extent permitted by law, we may provide information about your transactions and experiences with other affiliated Blackhawk entities, including parent companies and subsidiaries, whose use and disclosure of your personal information is subject to this Privacy Policy. Where processing of personal data is undertaken by our affiliated companies, they are joint controllers with us for your personal data. The list of affiliate controllers is available upon request at privacy@bhnetwork.com.

Service Providers

We may provide your Personal Data to companies that provide services to us, such as shipping your order or offering customer service, payment processors, hosting providers, and other support providers. These companies are authorized to use your Personal Data only as necessary to provide these services and subject to our written instructions.

Referral Partners

We offer referral-based commission systems through third party partners so that publisher websites may refer users to our pages to make purchases. The third party partner will be identified when you sign up, and we will obtain your consent in jurisdiction where this is required. Your Personal Data collected in such cases will be owned and controlled by both Blackhawk and the partner as independent data controllers. This Policy governs Blackhawk’s use of the data. The third party’s privacy policy governs its use of the data.

Product Short Notices

Some products offered in conjunction with banks have unique data sharing agreements. Blackhawk will make available to you short privacy notices of each product’s sharing policies on its website.

Additional Disclosures

We may also disclose your Personal Data in the event of the situations below.

As permitted or required by law, such as to comply with a subpoena, or similar legal process;

When we believe in good faith that disclosure is necessary to respond to claims asserted against us, protect our rights, protect your safety or the safety of others, investigate fraud, comply with legal process (e.g., subpoenas or warrants), or respond to a government request;

If Blackhawk is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified by email and/or by a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your Personal Data;

To any other third party with your prior consent.

Aggregate and Anonymized Information

We may share aggregate or anonymized information about users with third parties for marketing, advertising, research or similar purposes.

Cookies and Tracking

We and our third party service providers may collect information automatically when you use the Site or Services, or read our emails, including through cookies, beacons, pixels, tags, scripts, and HTML5, as well as log files.

Log files

Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files. We may link this data to Personal Information we have collected about you.

Cookies

These are small files with a unique identifier that are transferred to your browser through our websites. These technologies allow us to collect information such as browser type, time spent on our Sites, pages visited, language preferences, and your relationship with us. We can use this information to analyze trends, administer the website, track users’ movements around the website, measure the effectiveness of our communications, tailor our advertising to you, and gather demographic information about our user base as a whole. These technologies may provide us with information about devices and networks you utilize to access our Services, and other information regarding your interactions with our Services. For detailed information about the cookies in the Services, please read and review our Cookie Policy.

You can refuse to accept cookies. You will need to manage your cookie settings for each device and browser you use. However, if you elect not to accept cookies, your use of the features on our Sites may be limited or impaired, and you may not be able to access certain features of our Sites at all. For more detailed information about these mechanisms and how we collect activity information, see our Cookie Policy.

Pixels, Web Beacons, Clear GIFs

These are tiny graphics with a unique identifier, similar in function to cookies that we use to track the online movements of users of our web pages and our Ad Services, and to personalize content. We also use these in our emails to let us know when they have been opened or forwarded, so we can indicate the effectiveness of our communications.

"Do Not Track" Preferences

Many browsers provide you an option to request that a web application disable either its tracking and/or cross site user tracking of an individual user. We do not track your online activities across different Sites, and we only track your activity within a Site to the extent you log into your account. Therefore, our practices remain the same whether or not you enable the "Do Not Track" feature. You may, however, disable certain tracking by third-parties as discussed in our Cookie Policy.

Third-Party Analytics

We also use automated devices and applications, such as Google Analytics (more info here) to evaluate use of our Services. We use these tools to gather non-personal data about users to help us improve our Services and user experiences. These analytics providers may use cookies and other technologies to perform their services, and may combine the information they collect about you on our Sites with other information they have collected for their own purposes. This Policy does not cover such uses of data by third parties.

Targeted Advertising

We partner with third party ad networks to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you personalized advertising based upon your browsing activities and interests.

Custom Audiences

We may share your email address or other information with our advertising partners to assist us in reaching you with more relevant ads outside of the Sites; they are not permitted to use this information for their own or third party marketing purposes.

Opting Out of Ad Networks

If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will no longer target ads to you based upon your activities on other sites. Please note, however, that these opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your opt-out will no longer be effective. For more information, go to www.aboutads.info.

For more information about and to opt out of interest based ads from many ad networks, see our Cookie Policy. Note, if you delete cookies or change devices, your opt out may no longer be effective.

Social Media Widgets

Our Sites include social media features, such as the Facebook "Like" button. These features may collect your IP address, identify the page you are visiting on our website, and set a cookie to enable the feature to function properly. Social Media Widgets are either hosted by a third party or hosted directly on our website. The privacy statement of the company providing it governs your interactions with these Widgets. We will comply with any legal obligations placed on the use of these technologies by certain jurisdictions, which may affect how these Widgets function.

Security

The security of your personal information is important to us. We have implemented safeguards to protect the personal information submitted to us, both during transmission and once it is received, including encrypting the transmission of any sensitive information, such as payment card information. If you have any questions about the security of your personal information, you can contact us at privacy@bhnetwork.com.

Retention

We will retain your information for as long as your account is active or as needed to provide you services and up to a period of no longer than seven years thereafter. If you delete your account, to the extent permitted by applicable law, we may retain and use your Personal Data only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

Image Submissions and Public Directories

Some of our websites offer you the ability to upload your own image to be used to create a personalized product. You may have the option to make these images available in publicly-accessible directories. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. You may request removal of your Personal Information at any time. To request removal of your Personal Data from these public forums, please email us at privacy@bhnetwork.com or contact us by postal mail at the contact information listed below. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

Your Choices

Marketing and Newsletters

If you subscribe to our newsletters, we will use your name and email address to send them to you. You may choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe instructions included in these emails or accessing the email preferences in your account or by contacting us at privacy@bhnetwork.com.

Access and Correction

Upon your request Blackhawk will provide you with information about whether we hold any of your Personal Data. You may access, correct, update, amend, remove, ask to have it removed from a public forum, directory or testimonial on our site or deactivate it by making the change on your account page, emailing us at privacy@bhnetwork.com or by contacting us by postal mail at the contact information listed below at any time. We will endeavor to respond to your request within a reasonable time.

You may contact Blackhawk’s Global Privacy Office as set forth below to access or amend your personal data, to request that we rectify, delete or stop processing your personal data, to withdraw your consent to our processing, and, if you are an EEA resident, to exercise your opt-out rights or place a data portability request. We do not charge for these service but do require evidence of your identity. Once we have received evidence of your identity we will commence fulfillment of your request and respond within no more than thirty (30) days.

Where we are acting as a data processor, we will direct individuals who seek access, or to correct, amend, or delete inaccurate data, to direct their query to Blackhawk’s partner or client who has the direct relationship (the data controller).

EU Data Subject Rights

EU individuals have the following rights (when we are acting as a processor, individuals must exercise these rights with the data controller):

Access, Rectification, Portability and Deletion

You have the right to access your Personal Data held by us. You may do so by sending an email to privacy@bhnetwork.com. In addition, you may also have the right to request that certain Personal Data be exported to another provider where technically feasible, and under certain conditions to object to or restrict our use of certain Personal Data.

Withdraw Consent

Where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Object to Processing

You have the right to object to processing (including profiling) based on legitimate interest grounds, where we are relying upon legitimate interests to process Personal Information. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

Object to Marketing

You have the right to object to our use of your Personal Information (including profiling) for direct marketing purposes, such as when we use your personal data to invite you to our promotional events.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

Any requests in relation to your rights should be directed to privacy@bhnetwork.com (or at the Contact Us information shown below). Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain Personal Data. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.

Protecting Children’s Privacy Online

Our Sites are not directed to children and we do not knowingly collect information from children under 16, and we request that such individuals do not provide Personal Data through our Sites.

International Transfer

If you live in the European Economic Area ("EEA") or in Canada, the data that we collect from you may be transferred to, or accessed in, and stored at a location outside the EEA and Canada that may not provide equivalent levels of data protection as your home jurisdiction. When Blackhawk stores personal data outside the EEU, the data will be stored in the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements, by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found here: EU Commission Standard Contractual Clauses) or where there is an adequacy decision by the EU Commission. It may also be processed by staff operating outside the EEA and Canada who work for us or for one of our service providers. Among other things, such staff may process and store your information and provide support services. By submitting your Personal Data, you agree to this transfer, storing or processing. We will ensure that your Personal Data is treated securely and in accordance with this Policy.

Privacy Shield Certification

Blackhawk Network, Inc. (and its subsidiary companies listed on its Privacy Shield certification page) participate in and have certified its compliance with the EU-U.S. Privacy Shield Framework. Blackhawk has committed to comply with the EU-U.S. Privacy Shield Principles in its handling of all Personal Data received from European Union (EU) member countries. To learn more about the Privacy Shield Framework or to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List by visiting https://www.privacyshield.gov/list.

Blackhawk is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Blackhawk complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, including the onward transfer liability provisions.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Blackhawk is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Blackhawk may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. We commit to cooperate in the resolution of disputes with individuals through this process.

Updates to This Policy

This Policy may be subject to change. Please review it from time to time. If we make material changes to this Policy about how we process your Personal Information, we will post those changes on this page and revise the "Last Updated" date at the top. Any changes will become effective when we post the revised Policy. If we make any material changes, we will notify you by email or by means of a prominent notice on this Site prior to the change becoming effective, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.

Contact Information

If you have any questions or concerns regarding the way in which your personal data is being processed or you want to exercise your rights above, please reach out to us using the contact information below:

Where we act as joint controllers with our affiliates, you may contact Blackhawk Network, Inc. or our EU Data Protection Officer, and we will work with our affiliates to properly respond to your inquiry or request.

EU Inquiries

If you are an EU individual and have any further queries or complaints that we are not able to answer, you should contact the Data Privacy Supervisory Authority for the country in which you reside: